Introduction

This document provides a configuration example for a LAN-to-LAN (L2L) VPN between Cisco IOS® and strongSwan. Both Internet Key Exchange version 1 (IKEv1) and Internet Key Exchange version 2 (IKEv2) configurations are presented.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

Basic knowledge about Linux configurations

Knowledge about VPN configurations on Cisco IOS

Knowledge about these protocols:

IKEv1

IKEv2

Internet Protocol Security (IPSec)

Components Used

The information in this document is based on these software versions:

Cisco IOS Release 15.3T

strongSwan 5.0.4

Linux kernel 3.2.12

Configure

Network Diagram

The topology is the same for both examples: an L2L tunnel between Cisco IOS and strongSwan.

Traffic is protected between 192.168.1.0/24 and 192.168.2.0/24.

Open Source L2L IPSec VPNs

There are several Open Source projects that utilize Internet Key Exchange (IKE) and IPSec protocols to build secure L2L tunnels:

strongSwan: supports IKEv2 and the EAP/mobility extensions, and works with the NETKEY API used by the newer Linux 3.x kernels (NETKEY is the name of the native IPSec implementation in kernel 2.6 and later); it is actively maintained and well documented.

Currently, the best choice is usually strongSwan. Its configuration is similar to that of Openswan, with several minor differences. This guide focuses on strongSwan and the Cisco IOS configuration.

By default, Cisco IOS uses the IP address as the IKE ID, which is why addresses have been used as "rightid" and "leftid". strongSwan, like Cisco IOS, supports Next-Generation Cryptography (Suite B), so it is possible to use 4096-bit Diffie-Hellman (DH) keys along with AES256 and SHA512.

For the auto parameter, the "add" argument has been used. That loads the connection and brings up the tunnel once interesting traffic arrives. In order to start it immediately, the "start" argument could be used instead.
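As an added example (not the page's own configuration), this is what the strongSwan side looks like in ipsec.conf terms: address-based IKE IDs to match the Cisco IOS default, a strict Suite B style proposal (AES256, SHA512, 4096-bit DH) and auto=add next to the auto=start alternative. It assumes 192.168.2.0/24 sits behind strongSwan, 192.168.1.0/24 behind the Cisco IOS router, and uses the placeholder public addresses 203.0.113.1 (strongSwan) and 203.0.113.2 (Cisco IOS), none of which are given on the page.

```ini
# /etc/ipsec.conf (strongSwan 5.x) -- added example, not the page's own config.
# Public addresses 203.0.113.1/.2 are documentation-range placeholders.
config setup

conn cisco-l2l
    keyexchange=ikev2          # use ikev1 for the IKEv1 variant of the tunnel
    authby=secret              # pre-shared key, defined in ipsec.secrets below
    left=203.0.113.1           # strongSwan public address (placeholder)
    leftid=203.0.113.1         # IKE ID = address, matching the Cisco IOS default
    leftsubnet=192.168.2.0/24  # assumed: LAN behind strongSwan
    right=203.0.113.2          # Cisco IOS public address (placeholder)
    rightid=203.0.113.2        # Cisco IOS sends its address as the IKE ID
    rightsubnet=192.168.1.0/24 # assumed: LAN behind the Cisco IOS router
    # Strict proposals ('!' suppresses strongSwan's default proposals):
    # AES-256, SHA-512, 4096-bit DH. modp4096 on the esp line enables PFS.
    ike=aes256-sha512-modp4096!
    esp=aes256-sha512-modp4096!
    # auto=add loads the connection without initiating it; the peer, or a
    # manual 'ipsec up cisco-l2l', brings it up. auto=start initiates at
    # daemon start. (auto=route installs a trap policy that initiates on
    # matching traffic.)
    auto=add
    # auto=start

# /etc/ipsec.secrets -- constructed placeholder PSK; replace with a long random secret
# 203.0.113.1 203.0.113.2 : PSK "replace-with-a-long-random-secret"
```

After editing, `ipsec reload` picks up the conn and `ipsec statusall` shows whether the IKE_SA and CHILD_SA are established with the proposal above.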